Publications

On October 28, 2014, the California Attorney General released a report revealing that more than 18.5 million California residents were victims of data breaches in 2013.[1] That statistic represents a staggering 600% increase over the number of Californians affected by data breaches in 2012[2] and echoes similarly gloomy data breach statistics reported earlier this year by data security researches at Verizon,[3] PwC,[4] and the Ponemon Institute.[5]

Collectively, these reports highlight a national trend: U.S. businesses are struggling to adequately secure the personal information on their networks.[6] Despite the explosion of data breaches, companies generally have not adapted their business practices to prevent breaches or mitigate the harm that they cause to consumers. Further, the reports indicate that companies continue to view and manage cybersecurity risk as an information technology matter and not as an issue mandating direct boardroom attention.[7] This is a dangerous approach.

The Risk is Universal

The reports illustrate that an alarming wave of cyber-related incidents is occurring throughout the country.[8] In fact, the Ponemon Institute found that 43% of the companies it polled had been involved in a data breach, an increase of 10% over the prior year.[9] The same study found that even though the number of companies with data and privacy policies has improved, most companies believe that they are ill-equipped to deal with the consequences of a data breach.[10]

The Costs are Real

The costs associated with data breaches are also on the rise. The Ponemon Institute found that the average cost associated with a data breach increased over the last year from $136 to $145 per record.[11] The average total cost of a data breach for a company in 2014 was $3.5 million dollars.[12]

Data breach costs include both the direct and indirect costs associated with a breach. Direct costs include the cost of investigating the breach, providing credit monitoring services, and paying fines or penalties. Some costs, including fines imposed by state and federal enforcement agencies, are widely publicized and allow companies to engage in purposeful risk evaluation. For example, in October 2014 TD Bank reached an $850,000 multi-state settlement, led by Connecticut’s Office of the Attorney General, to resolve a 2012 data breach involving the exposure of the personal data of 260,000 customers resulting from the loss of unencrypted backup tapes.[13] Companies easily can compare their own situations to the facts that led to fines and penalties levied in previous enforcement cases. Companies may be less prepared for the indirect costs associated with a breach, including the loss of current and future customers and the increased cost of acquiring new customers.[14]

Together, the direct and indirect costs of data breaches are often substantial. In fact, in 2013, breaches cost organizations doing business in New York more than $1.3 billion dollars,[15] which is itself a conservative estimate because many data breaches are never reported.

Recommended Practices

These reports illustrate that companies face a growing risk of being confronted with a cyberincident. Given the rising costs associated with these events, businesses must be prepared to prevent and respond accordingly.

Every organization and industry faces unique challenges regarding data breaches. The following recommendations, gleaned from the aforementioned reports and our professional experiences, are best practices that should be considered by all organizations.

Establish proper governance procedures

• Preparation begins in the corporate boardroom—cyber security cannot be managed solely as an IT matter but rather must be seen as a risk to be managed at the highest levels.
• Board and management oversight and accountability must accompany cyber failures and losses.

Establish an information security program

• Implement an information security program that includes a written information security plan.
• The NIST Cybersecurity Framework developed is being considered by some industries and the government as a possible unified process benchmark for cyber security—understand what the Cybersecurity Framework is and how it applies to your security program.[16]
• Perform periodic risk assessments and revise your privacy and information security practices based on the results.
• Research which types of threats your industry is most vulnerable to and adapt your practices accordingly.
• Ensure that the hardware and software used by your organization are updated with the latest security patches.

Establish data handling procedures

• Understand the information that your business collects, where it is stored, how it is used, and who can access it.
• Minimize the collection of unnecessary information.
• Ensure that information is not retained past its useful life.
• Employ strong encryption solutions to protect sensitive information on laptops, desktops, external hard drives, and mobile devices.
• Employ strong encryption solutions to protect data traveling over public and private networks.
• Devalue consumer financial information by using tokenization and encryption technologies.
• Work with your suppliers, especially financial institutions, to ensure that shared consumer information is protected.

Prepare for incident response

• Create and practice executing an incident response plan that emphasizes notifying affected individuals in the most expedient time possible, without unreasonable delay.
• Identify an incident response team that includes members of senior management as well as legal and information technology experts.
• Provide victims of data breaches with free mitigation services such as credit monitoring.
• Improve the readability of breach notices by removing “legalese.”
• Consider using substitute notices for payment card data breaches.

The recent spate of cybersecurity incidents plaguing businesses is unlikely to decrease in the near future. Companies today have access to massive amounts of data that must be secured during use, transmission, and storage. For a host of reasons—some malicious, some accidental—portions of this data inevitably will be lost. While there is no method short of ceasing business operations to eliminate this risk, implementing the recommendations above will help manage risk appropriately.